Scribd Logo
Upload

Welcome to Scribd!

  • IP Over IP

    Uploaded by

    quocirca
    44 views13 pages
    Convergence can lead to greater security risks. - Everything is now accessible via a single transport - Everything is stored in a similar way - information disruption and theft is more attractive.

    Original Description:

    Original Title

    IP over IP

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Convergence can lead to greater security risks. - Everything is now accessible via a single transport - Everything is stored in a similar way - information disruption and theft is more attractive.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    44 views13 pages

    IP Over IP

    Uploaded by

    quocirca
    Convergence can lead to greater security risks. - Everything is now accessible via a single transport - Everything is stored in a similar way - information disruption and theft is more attractive.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 13

    IP over IP

    The impact of convergence on information value

    Clive Longbottom,
    Service Director, Quocirca Ltd
    Context

    • Convergence provides cost savings


    – Via single management
    – Via single transport
    • Convergence provides greater capabilities
    – Greater integration
    – Better response times
    • But…
    • Convergence can lead to
    greater security risks

    © 2007 Quocirca Ltd


    The Lure of Convergence

    • One technology, one set of wires, one means of


    management
    • Brings together data, voice, video
    • Enables multi-channel businesses to act more coherently

    • But:
    – Everything is now accessible via a single transport
    – Everything is stored in a similar way
    – Information disruption and theft is more attractive

    © 2007 Quocirca Ltd


    The old days

    • Data security based on discrete approaches


    – Application security
    – Perimeter security
    – End Point security
    – VPN transport security
    • Encryption seen as a discrete, manual solution

    © 2007 Quocirca Ltd


    Issues

    • More deperimeterisation in the


    value chain
    – Mobile workers
    – Contractors/consultants
    – Suppliers and customers
    • More data at rest
    – Less of it fully secured
    – More of it duplicated
    • More data in movement
    – Can you count on it being
    secure?

    © 2007 Quocirca Ltd


    The Perception of Security

    • Our systems are protected by:


    – A firewall
    – Database security
    – Challenge/response access
    – VPNs
    – Anti-virus/spyware

    • Therefore, we must be secure

    © 2007 Quocirca Ltd


    The Reality

    • The Firewall is like Swiss Cheese


    – Ports have been opened all over
    the place
    • Database security only protects
    what’s in the database
    – That’s less than 20% of an
    organisation’s data
    • Challenge/response is no answer
    – Look for yellow sticky notes stuck to the
    screen of the laptop
    • VPNs are good..
    – …but if breached, provide a secure tunnel
    back in to the organisation
    • Also – look at rogue WiFi access points, P2P
    software, rogue USB hardware, etc, etc…
    © 2007 Quocirca Ltd
    What needs to be done?

    • Intellectual property is carried in documents – less so in


    application databases
    • Intellectual property should be secured at the point of
    creation
    • Intellectual property should be accessible by role and
    individual
    – But the rights should be capable of being immediately
    revoked
    – Need to be extended to suppliers, customers as well
    as contractors and consultants

    © 2007 Quocirca Ltd


    Encryption

    • Data encryption has been around for ever


    – But highly technically sold
    • Data encryption should be as transparent as possible to
    the user
    • The use of central policies driving automated encryption
    has to be utilised

    © 2007 Quocirca Ltd


    The Hybrid Approach

    • Remember that the majority of information thefts are


    still opportunistic
    – Being more secure than someone else may be enough
    • Worry that many information thefts are targeted
    – If your business is heavily based on intellectual
    property, you can’t risk it
    • Secure via:
    – Information security
    – Transport security
    – Application security
    – Database security
    – Device security
    – Biometrics
    © 2007 Quocirca Ltd
    Other concerns

    • Do everything to stop accidental leakage


    – Limit routing
    • Use formal workflows to ensure specific flows
    – Stop email forwarding
    • Also saving of attachments
    – Prevent printing
    – Prevent cut and paste
    • Create solid guidance to stop purposeful leakage
    – Use of special screen-grab programs
    – Use of cameras
    – Manual copying of information

    © 2007 Quocirca Ltd


    Prevention and Cure

    • Don’t let a problem get to the network


    • If it gets to the network, don’t let it get to a device
    • If it gets to a device, don’t let it do anything
    • If its does anything, don’t let it get to the information
    • If it gets to the information, make the information
    useless

    • It’s the information that counts


    – Devices can be replaced
    – Time can be recouped to a degree
    – Lost information kills the business

    © 2007 Quocirca Ltd


    Conclusions

    • Intellectual property is the life blood of many


    organisations
    – Leaving important information at rest or on the move
    in the clear should not be tolerated
    • Encryption technologies have to be easy to use
    – Policy driven approaches can drive needs and hide
    technical complexity
    • Security has to be multi-layered
    – Although its not the device or the network that really
    matters, pragmatism, loss of time and need for
    specific skills dictates the need for multi-layered
    security

    © 2007 Quocirca Ltd

    You might also like